The fine print
CatalystView publishes information drawn from public SEC filings, paired with AI-generated commentary. Nothing here is investment advice — please read these before relying on anything you see.
Privacy Policy
Last updated · June 10, 2026
Data controller
CatalystView (catalystview.xyz) is operated by an individual based in the Republic of Lithuania, who acts as the “controller” under Regulation (EU) 2016/679 (the GDPR) and Lithuanian data-protection law. Data-protection contact: privacy@catalystview.xyz. As a small operator we have not appointed a Data Protection Officer; the operator handles all data-protection matters personally.
What this policy covers
This explains what personal data CatalystView collects, why, how we use and share it, and your rights. It applies to visitors, registered account holders, and email subscribers. CatalystView is currently free to use (with optional, voluntary donations). We ask for the minimum personal data needed to run the Service and we do not sell personal data to anyone.
Categories of personal data
| Category | Examples | Source |
|---|---|---|
| Account data | Email, display name, profile image (if provided), auth provider ID | You / Clerk |
| Subscription data | Email address you give to receive the daily brief or alerts | You |
| Usage data | Pages visited, signals viewed, watchlist items, device type, approximate location from IP | Automatic |
| Technical data | IP address, browser, OS, referrer, timestamps, error logs | Automatic |
| Communications | Emails you send us; alerts we send you (and delivery metadata) | You / Resend |
We do not knowingly collect data from children under 18, special-category data (Art. 9 GDPR), or criminal-conviction data.
Purposes and legal bases
- Provide the Service — create and authenticate your account, deliver signals, manage watchlists. Art. 6(1)(b) GDPR.
- Send the emails you opted into — the daily brief, signal alerts, account and security notices. Art. 6(1)(b) & (f).
- Operate, secure, and improve the Service — debugging, abuse prevention, capacity planning, aggregate analytics. Art. 6(1)(f).
- Comply with law — respond to lawful requests, defend legal claims. Art. 6(1)(c) & (f).
We do not make automated decisions that produce legal or similarly significant effects (Art. 22). The AI commentary you see is generated from public SEC filings, not from your personal data.
What we set
- Strictly necessary cookies set by our authentication provider to keep you signed in.
- Privacy-friendly, cookieless analytics from our host that records aggregate page-view and performance metrics. It does not use third-party cookies or build cross-site profiles.
Because we rely only on strictly-necessary cookies and cookieless analytics, we do not show a consent banner. If we ever add non-essential cookies or marketing trackers we will request your prior consent under the ePrivacy Directive.
Who we share data with
We use a small number of service providers that act only on our documented instructions:
| Processor | Purpose | Safeguard |
|---|---|---|
| Clerk, Inc. | Authentication, sessions, profiles | USA — EU SCCs |
| Vercel, Inc. | Hosting, edge delivery, cookieless analytics | USA/EU edge — SCCs, EU-US DPF |
| Resend, Inc. | Sending the daily brief and alert emails | USA — SCCs |
| OpenRouter | Routing prompts to LLMs that summarise public filings; no personal data is sent in prompts | USA — SCCs where applicable |
We may also disclose data where required by law or to defend our rights. We do not sell personal data or engage in cross-context behavioural advertising.
Data leaving the EEA
Several processors are in the United States. Where personal data leaves the EEA we rely on the European Commission's Standard Contractual Clauses and, where the recipient is certified, the EU-US Data Privacy Framework. Request a copy of the relevant safeguard by emailing us.
How long we keep your data
- Account data: while your account exists, plus up to 30 days after deletion to allow restore.
- Subscription email: until you unsubscribe (one click in every email), plus a short suppression record so we don't email you again.
- Email & web logs: up to 12 months for deliverability and abuse-prevention; longer only in aggregated, non-identifiable form.
- Support emails: up to 24 months after the issue is resolved.
What you can ask us to do
Under the GDPR and Lithuanian law you have the right to:
- Access the data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data (Art. 17);
- Restrict certain processing (Art. 18);
- Portability — a machine-readable copy you can transmit elsewhere (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, without affecting prior lawful processing.
To exercise any of these, email privacy@catalystview.xyz. We respond within one month (extendable by two for complex requests) and may need to verify your identity first. You may also complain to the Lithuanian State Data Protection Inspectorate (vdai.lrv.lt) or your own EU supervisory authority.
How we protect your data
We rely on industry-standard infrastructure: TLS in transit, encryption at rest with our hosting and authentication providers, hardened password storage handled by Clerk, least-privilege access, and regular dependency updates. No system is perfectly secure; if we discover a personal-data breach likely to risk your rights, we will notify the supervisory authority within 72 hours and, where the risk is high, notify affected users without undue delay (Art. 33–34 GDPR).
Age requirement and updates
The Service is not directed at children under 18 and we do not knowingly collect their data; if you believe a child has provided data, contact us and we will delete it. We may update this policy from time to time — the “Last updated” date reflects the current version, and we will communicate material changes via the Service and, where appropriate, by email before they take effect.